The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

Personal note:

Since domain controllers are off-limits (regarding open ports), you are left to install the Certificate Enrollment Web Service role service on a plain member server.

Question No: 52 – (Topic 1)

You have a domain controller that runs Windows Server 2008 R2 and is configured as a DNS server.

You need to record all inbound DNS queries to the server. What should you configure in the DNS Manager console?

A. Enable debug logging.

B. Enable automatic testing for simple queries.

C. Configure event logging to log errors and warnings.

D. Enable automatic testing for recursive queries.

Answer: A

Explanation:

http://technet.microsoft.com/en-us/library/cc753579.aspx

DNS Tools

Event-monitoring utilities

The Windows Server 2008 family includes two options for monitoring DNS servers:

Default logging of DNS server event messages to the DNS server log.

DNS server event messages are separated and kept in their own system event log, the DNS server log, which you can view using DNS Manager or Event Viewer.

The DNS server log contains events that are logged by the DNS Server service. For example, when the DNS server starts or stops, a corresponding event message is written to this log. Most additional critical DNS Server service events are also logged here, for example, when the server starts but cannot locate initializing data and zones or boot information stored in the registry or (in some cases) Active Directory Domain Services (AD DS).

You can use Event Viewer to view and monitor client-related DNS events. These events appear in the System log, and they are written by the DNS Client service at any computers running Windows (all versions).

Optional debug options for trace logging to a text file on the DNS server computer.
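Debug logging is the option that captures the queries themselves. The following is an added example, not code from the page: it turns on DNS Server debug logging with dnscmd (available on Windows Server 2008 R2) restricted to received query packets, and parses the resulting text log to summarise inbound queries per client. The log path and the sample log lines are assumptions.

```powershell
# Added example, not code from the page: turn on DNS Server debug logging with
# dnscmd (present on Windows Server 2008 R2) and summarise the inbound queries
# it records. $LogPath and the sample log lines below are assumptions.
$LogPath = 'C:\DnsLogs\dns-debug.log'   # assumed path; create the folder first

function Enable-InboundQueryLogging {
    param([string]$Server = 'localhost', [string]$Path = $LogPath)
    # Bits from the dnscmd /Config /LogLevel table: 0x1 Query, 0x100 Questions,
    # 0x2000 Receive, 0x4000 UDP, 0x8000 TCP, 0x80000000 write-through to disk.
    # Combined they log every received query packet and nothing else.
    & dnscmd $Server /Config /LogFilePath $Path | Out-Null
    & dnscmd $Server /Config /LogFileMaxSize 0x10000000 | Out-Null   # 256 MB, then the log wraps
    & dnscmd $Server /Config /LogLevel 0x8000E101
}

# Shape of one packet line in the debug log:
# <date> <time> <thread> PACKET <ptr> <UDP|TCP> <Snd|Rcv> <remote IP> <xid> <Q|R> [flags] <type> <name>
$LinePattern = '^(?<stamp>\S+ \S+ \S+) \S+ PACKET\s+\S+ (?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+\S+\s+(?<qr>[QR])(?: Q)? \[[^\]]*\]\s+(?<type>\S+)\s+(?<name>\S+)'

function Get-InboundDnsQueries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not ($line -match $LinePattern)) { continue }
        # Keep received packets that carry a question; responses (Snd) are dropped
        if ($Matches.dir -ne 'Rcv' -or $Matches.qr -ne 'Q') { continue }
        # (3)www(6)adatum(3)com(0) -> www.adatum.com
        $fqdn = ($Matches.name -replace '\(\d+\)', '.').Trim('.')
        New-Object PSObject -Property @{
            Time = $Matches.stamp; Client = $Matches.ip; Proto = $Matches.proto
            Type = $Matches.type; Name = $fqdn
        }
    }
}

# Constructed sample lines in the debug-log format (not captured traffic)
$sample = @(
    '3/19/2024 9:02:11 AM 0ED4 PACKET  00000000033B5B40 UDP Rcv 10.1.2.30      4f2a   Q [0001   D   NOERROR] A      (3)www(6)adatum(3)com(0)',
    '3/19/2024 9:02:11 AM 0ED4 PACKET  00000000033B5B40 UDP Snd 10.1.2.30      4f2a R Q [8081   DR  NOERROR] A      (3)www(6)adatum(3)com(0)',
    '3/19/2024 9:02:12 AM 0ED4 PACKET  00000000033B6F20 TCP Rcv 10.1.2.31      4f2b   Q [0001   D   NOERROR] SRV    (5)_ldap(4)_tcp(8)intranet(6)adatum(3)com(0)'
)
$queries = Get-InboundDnsQueries -Lines $sample
$queries | Group-Object Client | Sort-Object Count -Descending | Select-Object Name, Count   # queries per client
# Against the live log: Get-InboundDnsQueries -Lines (Get-Content $LogPath)
```

With the sample input the two Rcv lines are kept and the Snd response is dropped, giving one query each for 10.1.2.30 and 10.1.2.31.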

Question No: 53 – (Topic 1)

Your company has a main office and a branch office. The company has a single-domain Active Directory forest. The main office has two domain controllers named DC1 and DC2 that run Windows Server 2008 R2. The branch office has a Windows Server 2008 R2 read-only domain controller (RODC) named DC3.

All domain controllers hold the DNS Server role and are configured as Active Directory-integrated zones. The DNS zones only allow secure updates.

When a client attempts a dynamic update, it sends a start of authority (SOA) query to its preferred Domain Name System (DNS) server. Typically, clients are configured to use the DNS server in their branch site as their preferred DNS server. The RODC does not hold a writeable copy of the DNS zone. Therefore, when it is queried for the SOA record, it returns the name of a writable domain controller that runs Windows Server 2008 or later and hosts the Active Directory-integrated zone, just as a secondary DNS server handles updates for zones that are not Active Directory-integrated zones. After it receives the name of a writable domain controller that runs Windows Server 2008 or later, the client is then responsible for performing the DNS record registration against the writeable server. The RODC waits a certain amount of time, as explained below, and then it attempts to replicate the updated DNS object in Active Directory Domain Services (AD DS) from the DNS server that it referred the client to through an RSO operation.

Note:

For the DNS server on the RODC to perform an RSO operation of the DNS record update, a DNS server that runs Windows Server 2008 or later must host writeable copies of the zone that contains the record. That DNS server must register a name server (NS) resource record for the zone. The Windows Server 2003 Branch Office Guide recommended restricting name server (NS) resource record registration to a subset of the available DNS servers. If you followed those guidelines and you do not register at least one writable DNS server that runs Windows Server 2008 or later as a name server for the zone, the DNS server on the RODC attempts to perform the RSO operation with a DNS server that runs Windows Server 2003. That operation fails and generates a 4015 Error in the DNS event log of the RODC, and replication of the DNS record update will be delayed until the next scheduled replication cycle.

This topic describes best practices for installing Domain Name System (DNS) servers to support Active Directory Domain Services (AD DS) in branch office environments.

As a best practice, use Active Directory-integrated DNS zones, which are hosted in the application directory partitions named ForestDNSZones and DomainDNSZones. The following guidelines are based on the assumption that you are following this best practice. In branch offices that have a read-only domain controller (RODC), install a DNS server on each RODC so that client computers in the branch office can still perform DNS lookups when the wide area network (WAN) link to a DNS server in a hub site is not available. The best practice is to install the DNS server when you install AD DS, using Dcpromo.exe.

Otherwise, you must use Dnscmd.exe to enlist the RODC in the DNS application directory partitions that host Active Directory-integrated DNS zones.

Note: You also have to configure the DNS client’s setting for the RODC so that it points to itself as its preferred DNS server.

To facilitate dynamic updates for DNS clients in branch offices that have an RODC, you should have at least one writeable Windows Server 2008 DNS server that hosts the corresponding DNS zone for which client computers in the branch office are attempting to make DNS updates. The writeable Windows Server 2008 DNS server must register name server (NS) resource records for that zone.

By having the writeable Windows Server 2008 DNS server host the corresponding zone, client computers that are in branch offices that are serviced by RODCs can make dynamic updates more efficiently. This is because the updates replicate back to the RODCs in their respective branch offices by means of a replicate-single-object (RSO) operation, rather than waiting for the next scheduled replication cycle.

For example, suppose that you add a new member server in a branch office, Branch1, which includes an RODC. The member server hosts an application that you want client computers in Branch1 to locate by using a DNS query. When the member server attempts to register its host (A or AAAA) resource records for its IP address in a DNS zone, it performs a dynamic update on a writeable Windows Server 2008 or Windows Server 2008 R2 DNS server that the RODC in Branch1 tracks. If a writeable Windows Server 2008 DNS server hosts the DNS zone, the RODC in Branch1 replicates the updated zone information as soon as possible from the writeable Windows Server 2008 DNS server. Then, client computers in Branch1 can successfully locate the new member server by querying the RODC in Branch1 for its IP address.

If you do not have a writeable Windows Server 2008 DNS server that hosts the DNS zone, the update can still succeed against a Windows Server 2003 DNS server if one is available, but the updated record in the DNS zone will not replicate to the RODC in Branch1 until the next scheduled replication cycle, which can delay client computers that use the RODC DNS server for name resolution from locating the new member server.
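The two preconditions above (a writable Windows Server 2008 or later DNS server hosts the zone and is registered as an NS for it) and the 4015 symptom on the RODC can be checked from a script. This is an added example, not code from the page; the zone, server and RODC names are assumptions taken from the question.

```powershell
# Added example, not code from the page: checks the RSO preconditions described
# above (a writable Windows Server 2008+ DNS server hosts the zone and is
# registered as an NS for it) and looks for the 4015 errors the note mentions
# on the RODC. Zone and server names are assumptions.
$Zone        = 'intranet.adatum.com'
$WritableDns = 'DC1', 'DC2'   # writable DCs running Windows Server 2008 R2
$Rodc        = 'DC3'

function Get-ZoneNameServers {
    param([string]$Server, [string]$ZoneName)
    # NS records at the zone apex ("@"); dnscmd prints one "... NS <fqdn>." line per record
    & dnscmd $Server /EnumRecords $ZoneName '@' /Type NS |
        ForEach-Object { if ($_ -match '\sNS\s+(\S+?)\.?\s*$') { $Matches[1].ToLower() } }
}

function Test-RsoNsRegistration {
    param([string]$ZoneName, [string[]]$Writable)
    $ns = @(Get-ZoneNameServers -Server $Writable[0] -ZoneName $ZoneName)
    # A writable server counts only if its name appears among the zone's NS records
    $registered = @($Writable | Where-Object {
        $short = $_.ToLower()
        @($ns | Where-Object { $_ -eq $short -or $_ -like "$short.*" }).Count -gt 0
    })
    New-Object PSObject -Property @{
        Zone = $ZoneName; NameServers = $ns; WritableRegistered = $registered
        RsoPossible = ($registered.Count -gt 0)   # at least one 2008+ writable NS exists
    }
}

function Get-RodcRsoFailures {
    param([string]$Computer, [int]$Hours = 24)
    # The 4015 error in the RODC's DNS Server log is the failure the note above describes
    Get-EventLog -ComputerName $Computer -LogName 'DNS Server' -EntryType Error -After (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.EventID -eq 4015 } |
        Select-Object TimeGenerated, EventID, Message
}

Test-RsoNsRegistration -ZoneName $Zone -Writable $WritableDns
Get-RodcRsoFailures -Computer $Rodc
```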

Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers.

Windows Vista includes the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. Among other details, the subscription specifies exactly which events will be collected and in which log they will be stored locally. Once a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event collecting feature requires that you configure both the forwarding and the collecting computers.

Question No: 55 – (Topic 1)

Your company has a main office and 10 branch offices. Each branch office has an Active Directory site that contains one domain controller. Only domain controllers in the main office are configured as Global Catalog servers.

You need to deactivate the Universal Group Membership Caching (UGMC) option on the domain controllers in the branch offices.

http://gallery.technet.microsoft.com/scriptcenter/c1bd08d2-1440-40f8-95be-ad2050674d91

Script to Disable Universal Group Membership Caching in all Sites

How to Disable Universal Group Membership Caching in all Sites using a Script

Starting with Windows Server 2003, a new feature called Universal Group Membership Caching (UGMC) caches a user's membership in Universal Groups on the domain controllers that authenticate the user. This feature allows a domain controller to know which Universal Groups a user is a member of without contacting a Global Catalog.

Unlike Global group memberships, which are stored in each domain, Universal Group memberships are only stored in a Global Catalog. For example, when a user who belongs to a Universal Group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the Global Catalog provides Universal Group membership information for the user’s account at the time the user logs on to the domain to the authenticating domain controller.

UGMC is generally a good idea for multiple domain forests when:

Universal Group membership does not change frequently.

There is low WAN bandwidth between Domain Controllers in different sites.

It is also recommended to disable UGMC if all Domain Controllers in a forest are Global Catalogs.
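UGMC is a per-site setting stored as bit 0x20 of the options attribute on each site's NTDS Site Settings object. The block below is an added example, not the gallery script linked above: it finds the sites that have no Global Catalog (the branch sites in the question) and clears that bit there, leaving the other option bits untouched. It assumes the ActiveDirectory module is available.

```powershell
# Added example, not the gallery script linked above: finds the sites that have
# no Global Catalog (the branch sites in the question) and clears the Universal
# Group Membership Caching flag on each site's NTDS Site Settings object.
# Requires the ActiveDirectory module (Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

$UgmcFlag = 0x20   # bit 0x20 of "options" on nTDSSiteSettings = UGMC enabled

function Get-UgmcState {
    # One object per site, read from CN=NTDS Site Settings,CN=<site>,CN=Sites,<config NC>
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(objectClass=nTDSSiteSettings)' -SearchBase "CN=Sites,$configNC" -Properties options |
        ForEach-Object {
            $site = (($_.DistinguishedName -split ',')[1]) -replace '^CN=', ''
            $opts = [int]$_.options   # attribute absent -> 0
            New-Object PSObject -Property @{
                Site = $site; DN = $_.DistinguishedName; Options = $opts
                UgmcEnabled = (($opts -band $UgmcFlag) -ne 0)
            }
        }
}

function Get-SitesWithoutGlobalCatalog {
    # Sites whose DCs are all non-GC are the ones where UGMC would otherwise be used
    $dcs = Get-ADDomainController -Filter *
    $gcSites = $dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.Site }
    $dcs | ForEach-Object { $_.Site } | Sort-Object -Unique | Where-Object { $gcSites -notcontains $_ }
}

function Disable-Ugmc {
    param([string[]]$SiteName)
    foreach ($s in Get-UgmcState) {
        if ($SiteName -notcontains $s.Site -or -not $s.UgmcEnabled) { continue }
        $new = $s.Options -band (-bnot $UgmcFlag)   # clear only the UGMC bit, keep the others
        Set-ADObject -Identity $s.DN -Replace @{ options = $new }
        "Disabled UGMC in site $($s.Site): options $($s.Options) -> $new"
    }
}

$branchSites = @(Get-SitesWithoutGlobalCatalog)
Disable-Ugmc -SiteName $branchSites
# Read back the result for the sites that were touched
Get-UgmcState | Where-Object { $branchSites -contains $_.Site } | Select-Object Site, Options, UgmcEnabled
```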

Question No: 56 – (Topic 1)

Your company has an Active Directory domain. All servers run Windows Server. You deploy a Certification Authority (CA) server.

You create a new global security group named CertIssuers.

You need to ensure that members of the CertIssuers group can issue, approve, and revoke certificates.

What should you do?

A. Assign the Certificate Manager role to the CertIssuers group

B. Place CertIssuers group in the Certificate Publisher group

C. Run the certsrv -add CertIssuers command at the command prompt of the certificate server

D. Run the add -member-membertype memberset CertIssuers command by using Microsoft Windows PowerShell

Role-based administration involves CA roles, users, and groups. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group.

These security permissions, group memberships, and user rights are used to distinguish which users have which roles. The following table describes the CA roles of role-based administration and the groups relevant to role-based administration.

Question No: 57 – (Topic 1)

An Active Directory database is installed on the C volume of a domain controller. You need to move the Active Directory database to a new volume.

What should you do?

A. Copy the ntds.dit file to the new volume by using the ROBOCOPY command.

B. Move the ntds.dit file to the new volume by using Windows Explorer.

C. Move the ntds.dit file to the new volume by running the Move-item command in Microsoft Windows PowerShell.

D. Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

Answer: D

Explanation:

Answer: Move the ntds.dit file to the new volume by using the Files option in the Ntdsutil utility.

http://technet.microsoft.com/en-us/library/cc816720(v=ws.10).aspx

Move the Directory Database and Log Files to a Local Drive

You can use this procedure to move Active Directory database and log files to a local drive. When you move the files to a folder on the local domain controller, you can move them permanently or temporarily. Move the files to a temporary destination if you need to reformat the original location, or move the files to a permanent location if you have additional disk space. If you reformat the original drive, use the same procedure to move the files back after the reformat is complete. Ntdsutil.exe updates the registry when you move files locally. Even if you are moving the files only temporarily, use Ntdsutil.exe so that the registry is always current.

On a domain controller that is running Windows Server 2008, you do not have to restart the domain controller in Directory Services Restore Mode (DSRM) to move database files. You can stop the Active Directory Domain Services (AD DS) service and then restart the service after you move the files to their permanent location.

To move the directory database and log files to a local drive:

At the ntdsutil prompt, type files, and then press ENTER.

To move the database file, at the file maintenance: prompt, use the following commands:

Windows Server 2003/2008 Directory Service opens its files in exclusive mode. This means that the files cannot be managed while the server is operating as a domain controller. To perform any file-movement activities using ntdsutil, we need to start the server in Directory Services Restore Mode.

To start the server in Directory Services Restore Mode, follow these steps:

Restart the computer.

After the BIOS information is displayed, press F8.

Use the DOWN ARROW to select Directory Services Restore Mode, and then press ENTER.

Log on with your local administrative account and password (not a domain administrative account).

Note: using Service Control (sc.exe) you can quickly verify whether the NTDS service is running or stopped. At a command prompt, type sc query ntds.

Step 2

How to Move Active Directory Database and Logs

You can move the Ntds.dit data file to a new folder. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server. To move the data file to another folder, follow these steps:

Click Start, click Run, type ntdsutil in the Open box, and then press ENTER.


At the Ntdsutil command prompt, type activate instance ntds, and then press ENTER.


At the Ntdsutil command prompt, type files, and then press ENTER.


At the file maintenance command prompt, type move DB to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER.

In this case, the new location for the database is C:\AD\Database.

Now, to move the logs, at the file maintenance command prompt, type move logs to <new location> (where new location is an existing folder that you have created for this purpose), and then press ENTER. In our case, the new location for the logs is C:\AD\Logs.

To quit file maintenance, type quit. Back at the Ntdsutil prompt, type quit again to close it. Restart the computer. The AD database and logs have been moved successfully to the new location.
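The same procedure can be scripted. This added example (not code from the page) follows the Windows Server 2008 R2 path, where stopping AD DS stands in for the DSRM reboot: it stops NTDS, checks with sc.exe that it is stopped, runs the ntdsutil commands from the walkthrough as arguments, and reads back the registry values ntdsutil rewrites. It assumes it is run elevated on the domain controller; the target folders are the ones used above.

```powershell
# Added example, not code from the page: scripts the ntdsutil "files" moves
# shown above on Windows Server 2008 R2, where stopping AD DS replaces the
# DSRM reboot, and reads back the registry values ntdsutil rewrites. Run
# elevated on the domain controller; target folders follow the walkthrough.
$DbTarget   = 'C:\AD\Database'
$LogTarget  = 'C:\AD\Logs'
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsFileLocations {
    # These are the values ntdsutil updates so the service finds the files after a restart
    $p = Get-ItemProperty -Path $NtdsParams
    New-Object PSObject -Property @{
        Database = [string]$p.'DSA Database file'
        Logs     = [string]$p.'Database log files path'
        Working  = [string]$p.'DSA Working Directory'
    }
}

function Move-NtdsFiles {
    param([string]$DatabaseFolder, [string]$LogFolder)
    foreach ($d in $DatabaseFolder, $LogFolder) {
        if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
    }
    # -Force also stops dependents (KDC, DNS, Netlogon, ...) that would keep the files open
    Stop-Service -Name NTDS -Force
    # "sc" alone is the Set-Content alias in PowerShell, hence sc.exe (the check from the note above)
    if (-not ((& sc.exe query ntds) -match 'STOPPED')) { throw 'NTDS is still running; aborting move' }

    # Each argument is one command typed at the ntdsutil prompts, in the walkthrough's order
    & ntdsutil.exe 'activate instance ntds' files "move DB to $DatabaseFolder" "move logs to $LogFolder" quit quit

    $after = Get-NtdsFileLocations
    if (-not $after.Database.StartsWith($DatabaseFolder, 'OrdinalIgnoreCase')) {
        Write-Warning 'Database path in the registry did not change; check the ntdsutil output'
    }
    # Start-Service brings back NTDS only; the services stopped as its dependents
    # return with the restart the walkthrough ends with (or start them by name)
    Start-Service -Name NTDS
    $after
}

Get-NtdsFileLocations                                              # locations before the move
Move-NtdsFiles -DatabaseFolder $DbTarget -LogFolder $LogTarget     # locations after the move
```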

Question No: 58 – (Topic 1)

Your company has a single Active Directory domain named intranet.adatum.com. The domain controllers run Windows Server 2008 and the DNS server role. All computers, including non-domain members, dynamically register their DNS records.

You need to configure the intranet.adatum.com zone to allow only domain members to dynamically register DNS records.

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you directory-integrate a zone, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.
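Restricting the zone to domain members means setting it to secure dynamic updates only, which is available once the zone is AD-integrated. The block below is an added example, not code from the page: it converts a file-backed primary zone if needed, sets secure-only updates with dnscmd, and verifies the result through the MicrosoftDNS WMI provider. The zone name comes from the question; the server name is an assumption.

```powershell
# Added example, not code from the page: restricts intranet.adatum.com to secure
# dynamic updates, which needs the zone to be AD-integrated, and verifies the
# result through the MicrosoftDNS WMI provider. The server name is an assumption.
$Zone   = 'intranet.adatum.com'
$Server = 'DC1'

function Get-ZoneUpdateSetting {
    param([string]$Server, [string]$ZoneName)
    $z = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -Filter "ContainerName='$ZoneName'"
    if (-not $z) { throw "Zone $ZoneName not found on $Server" }
    # AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only
    New-Object PSObject -Property @{
        Zone = $ZoneName; DsIntegrated = [bool]$z.DsIntegrated
        AllowUpdate = [int]$z.AllowUpdate
        SecureOnly  = ([int]$z.AllowUpdate -eq 2)
    }
}

function Set-SecureDynamicUpdate {
    param([string]$Server, [string]$ZoneName)
    $before = Get-ZoneUpdateSetting -Server $Server -ZoneName $ZoneName
    if (-not $before.DsIntegrated) {
        # Secure updates exist only for AD-integrated zones: convert a file-backed primary first
        & dnscmd $Server /ZoneResetType $ZoneName /DsPrimary
    }
    # 2 = secure only: the client must authenticate (GSS-TSIG) and hold write rights on the record,
    # which non-domain members cannot do
    & dnscmd $Server /Config $ZoneName /AllowUpdate 2
    Get-ZoneUpdateSetting -Server $Server -ZoneName $ZoneName
}

$result = Set-SecureDynamicUpdate -Server $Server -ZoneName $Zone
if (-not $result.SecureOnly) { Write-Warning "Zone $Zone still accepts nonsecure updates" }
$result
```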

How to force replication of Domain Controllers

From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs.

Below is a command to replicate from a specified DC to all other DC’s.

Repadmin /syncall DC_name /Aped

By running repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many, and with the benefit of seeing immediate results on how the operations are proceeding.
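The push can be followed by a check that the links actually succeeded. This is an added example, not code from the page: it wraps the repadmin /syncall command above and then parses the CSV form of repadmin /showrepl to report partner links with failures. The DC name and the sample CSV rows are assumptions; the column names are the ones repadmin writes in its CSV header.

```powershell
# Added example, not code from the page: runs the repadmin /syncall push
# described above and then reads "repadmin /showrepl * /csv" so that failing
# partner links are reported rather than assumed. DC name and sample rows are
# assumptions; column names are those repadmin writes in its CSV header.
function Sync-AllPartitions {
    param([string]$Dc = 'DC1')
    # /A all partitions, /P push from $Dc outward, /e cross-site, /d show DNs instead of GUIDs
    & repadmin /syncall $Dc /APed
}

function Get-ReplicationFailures {
    param([string[]]$CsvLines)   # lines from: repadmin /showrepl * /csv
    # The first line is the column header (it starts with "showrepl_COLUMNS"), so ConvertFrom-Csv takes it as-is
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Success Time', 'Last Failure Status'
}

# Constructed sample in the /showrepl /csv layout (one healthy link, one failing one)
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Main,DC1,"DC=intranet,DC=adatum,DC=com",Main,DC2,RPC,0,0,2024-03-19 09:00:05,0',
    'showrepl_INFO,Branch1,DC3,"DC=intranet,DC=adatum,DC=com",Main,DC1,RPC,3,2024-03-19 08:15:42,2024-03-18 23:10:11,1722'
)
Get-ReplicationFailures -CsvLines $sample   # reports only the DC3 <- DC1 link: 3 failures, status 1722 (RPC server unavailable)

# Live run: push from DC1, then inspect every DC's inbound links
# Sync-AllPartitions -Dc 'DC1'
# Get-ReplicationFailures -CsvLines (& repadmin /showrepl * /csv)
```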